Valtimo Inbox Handling Service Logging Vulnerability Exposes Sensitive Data

Vulnerability

A vulnerability has been identified in the Valtimo InboxHandlingService, affecting versions from 13.0.0 up to (but not including) 13.21.0. The service logs the full content of each incoming inbox message at the INFO level, which can expose highly sensitive information such as personal data, citizen identifiers, and case details. The logged data is readable by anyone with access to the application logs, and also by Valtimo users with admin roles through the Admin UI logging module.

Impact

The vulnerability leads to unauthorized exposure of sensitive data, including personal information, citizen identifiers, and case details, to users with admin roles via the Admin UI logging module.

Reproduction

To reproduce this vulnerability, send a message through the inbox and observe that the full payload is logged at the INFO level. Additionally, send a malformed message through the inbox, which will be silently dropped without any log output. Publishing a DocumentUpdated event without a resultId will trigger a KotlinNullPointerException, and sending a ConfigurationIssueUpdated event without a caseDefinitionVersionTag will result in a meaningless event being dispatched.

Remediation

Upgrade to Valtimo version 13.22.0, which contains the fix. If an immediate upgrade is not possible, restrict access to the application logs and raise the log level for 'com.ritense.inbox' to WARN or higher in the application configuration. Note that raising the level only stops new message bodies from being written; entries already present in retained log files and in the Admin UI logging module still contain the data until those logs are purged.
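The following is an added helper script, not code from the advisory or from the Valtimo project, that checks both halves of the workaround: it resolves the level that an application.properties file gives to com.ritense.inbox (walking up the logger hierarchy the way Logback does) and scans console log lines for inbox-logger entries still emitted at INFO or below. It assumes the Spring Boot default console log layout and uses constructed sample lines, not real Valtimo output.

```python
import re

# Logger named in the advisory's remediation; child loggers inherit its level.
INBOX_LOGGER = "com.ritense.inbox"
LEVELS = ("TRACE", "DEBUG", "INFO", "WARN", "ERROR", "OFF")

# Assumption: Spring Boot default console layout (timestamp, level, pid, '---',
# one or more bracketed fields, abbreviated logger name, ' : ', message).
_LOG_LINE = re.compile(
    r"^\S+(?: \S+)?\s+(?P<level>TRACE|DEBUG|INFO|WARN|ERROR)\s+\d+\s+---\s+"
    r"(?:\[[^\]]*\]\s*)+(?P<logger>\S+)\s+:\s+(?P<msg>.*)$"
)


def is_inbox_logger(name):
    """Match com.ritense.inbox and descendants, including the abbreviated
    console form (e.g. c.r.inbox.InboxHandlingService)."""
    want, got = INBOX_LOGGER.split("."), name.split(".")
    if len(got) < len(want):
        return False
    return all(g == w or (len(g) == 1 and g == w[0]) for g, w in zip(got, want))


def find_inbox_payload_entries(lines):
    """Return (logger, message) for inbox entries at INFO or lower; any hit
    means the logger is still verbose enough to write message bodies."""
    hits = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if m and is_inbox_logger(m["logger"]) and LEVELS.index(m["level"]) <= LEVELS.index("INFO"):
            hits.append((m["logger"], m["msg"]))
    return hits


def effective_inbox_level(properties):
    """Level applied to com.ritense.inbox: most specific logging.level.* entry
    wins, falling back to root, which Spring Boot defaults to INFO."""
    configured = {}
    for raw in properties.splitlines():
        line = raw.strip()
        if line.startswith("logging.level.") and "=" in line:
            key, value = line.split("=", 1)
            configured[key[len("logging.level."):].strip()] = value.strip().upper()
    parts = INBOX_LOGGER.split(".")
    for depth in range(len(parts), 0, -1):
        level = configured.get(".".join(parts[:depth]))
        if level in LEVELS:
            return level
    return configured.get("root", "INFO")


def mitigation_applied(properties):
    """WARN or higher on the inbox logger keeps message bodies out of the logs."""
    return LEVELS.index(effective_inbox_level(properties)) >= LEVELS.index("WARN")


# Constructed sample lines (not real Valtimo output) for a stand-alone run.
SAMPLE_LOG = [
    '2026-04-16 22:44:01.123  INFO 1 --- [nio-8080-exec-1] c.r.inbox.InboxHandlingService : Received message: {"caseId":"CASE-0001","citizenId":"SAMPLE-ID"}',
    '2026-04-16 22:44:01.456  WARN 1 --- [nio-8080-exec-1] c.r.inbox.InboxHandlingService : Dropped malformed message',
    '2026-04-16 22:44:02.001  INFO 1 --- [           main] o.s.b.w.e.tomcat.TomcatWebServer : Tomcat started on port(s): 8080',
]
```

Run the scan over a real log export only after applying the configuration change; a non-empty result means the change has not taken effect on that instance.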

Added: Apr 16, 2026, 10:44 PM
Updated: Apr 16, 2026, 10:44 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.3
exploitability: 4.3
remediation: 0.0
relevance: 6.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.